Monday, 12 August 2013

Debugging Stop 0xC4 - Invalid Handle

Stop 0xC4 is a bugcheck produced when Driver Verifier finds a driver which violates one or more of it's current settings. The first parameter points to the type of violation, and in this example, the violation is the use of a invalid handle; a user-mode handle is being used within kernel-mode.

A handle is very simply a reference to an object. An object is usually some kind of system resource, but for this example, the handle belongs to a process object.

We can see the driver we caused the problem, but let's investigate further into dump file (please note this is a Minidump), the third parameter contains the address of the process which owns the handle.

We can use the !process extension with the third parameter to gain some information about the process, and any associated threads owned by the process.

We can view the working set for the current process (useful for Stop 0xF4), and also the currently associated thread.

Here, we could use the !handle extension with the address of the process, to view all the handles owned by the process, but unfortunately this information was not retained within the Minidump.

For all those interested, the process was related to ASUS AI Suite II, or more commonly ASUS bloatware.